EPIC has filed an amicus brief in Gubala v. Time Warner urging a federal appeals court to preserve consumers' right to sue cable providers that illegally retain their data. The lower court ruling now on appeal "raises serious separation-of-powers concerns because the decision usurps the power of the legislature to define legal injuries and remedies," EPIC wrote.

Derek Gubala brought a lawsuit alleging that Time Warner held onto his personal information long after he had canceled his service. Retaining customer data when it is no longer needed violates the Cable Communications Policy Act. However, the lower court dismissed the suit, concluding that the plaintiffs had suffered no "injury."

In an amicus brief for the federal appeals court, EPIC explained that the relevant injury is the violation of federal law which provides the basis to bring the lawsuit. EPIC said that the lower court confused "legal injury" with consequential harm, which would be determined later in the case. When a company violates a federal privacy law, EPIC said, that is a "legal injury" and the court must hear the case.

"The lower court was presented with an injury that Congress made legally cognizable under the Cable Act--having one's personal information retained by a cable provider after it is no longer necessary--yet refused to acknowledge the legitimacy of the statutory prohibition," EPIC wrote. In doing so, the court "subverted the core premise of the standing doctrine, converting a shield against judicial overreach into a sword for eviscerating legal rights created by Congress."

"Post-Spokeo, courts must understand that injury-in-fact is a legal injury, distinct from consequential harm," the EPIC brief said. "If courts are allowed to graft a consequential harm requirement onto standing doctrine, they will slam the courthouse doors on litigants who Congress has expressly permitted to enter."

"Courts should not presume, as the lower court did in this case, to label certain rights as 'procedural' rather than 'substantive' where Congress has not done so," EPIC explained. "When a court demands that a plaintiff prove some form of harm beyond the injury that Congress has deemed actionable, it is rejecting Congress's determination of what constitutes a bona fide injury and impermissibly 'substitut[ing] its own judgment for that of the legislature.'"

EPIC has filed numerous amicus briefs in consumer privacy cases clarifying the relationship between "legal injury" and "harm," which have been the source of widespread confusion since the Supreme Court's decision in Spokeo v. Robins. In April, EPIC told the Third Circuit federal appeals court that data breach victims can sue companies when the companies fail to adequately safeguard customer data without having to wait for fraud or identity theft to occur. And in July, EPIC told the Eighth Circuit appeals court that plaintiffs need not prove consequential harm to sue companies that fail to protect their data.

2. White House Releases Reports on Future of Artificial Intelligence

The White House has released two new reports on the impact of Artificial Intelligence on the US economy and related policy concerns.

Preparing for the Future of Artificial Intelligence surveys the current state of AI, its applications, and emerging challenges for society and public policy. According to Ed Felten, Deputy US Chief Technology Officer and EPIC Advisory Board member, the report discusses "how to adapt regulations that affect AI technologies, such as automated vehicles, in a way that encourages innovation while protecting the public" and "how to ensure that AI applications are fair, safe, and governable." The report concludes that "practitioners must ensure that AI-enabled systems are governable; that they are open, transparent, and understandable; that they can work effectively with people; and that their operation will remain consistent with human values and aspirations."

The companion report, National Artificial Intelligence Research and Development Strategic Plan, proposes a strategic plan for federally-funded research and development in AI. The plan identifies seven priorities for federally-funded AI research, including strategies to "understand and address the ethical, legal, and societal implications of AI" and "ensure the safety and security of AI systems."

3. EPIC Opposes DHS Plan to Collect Social Media Identifiers

EPIC recently urged to the Department of Homeland Security to drop a plan to review the social media accounts of individuals seeking to visit the United States. DHS plans to obtain social media identifiers from visitors' travel documents. DHS claims this information would help corroborate other information provided, such as country of origin, and would also provide greater clarity to "possible nefarious activity and connections."

EPIC said this would have a chilling effect on the speech of individuals seeking to visit the US. DHS has a history of monitoring social media for dissent and criticism of the agency, and it is unclear whether criticism of US policy could be grounds for denying entry. "Government programs that potentially scrutinize online comments, dissent, and criticism for the purpose of vetting alien visitors prior to entry into the U.S. send a chilling message to all users of social media--which increasingly provides important forums to share ideas, engage in debates, and explore new ideas," EPIC warned. While DHS currently proposes to make this request voluntary, EPIC noted that failure to provide social media identifiers would also raise suspicion.

This latest DHS proposal targets foreign visitors, but US citizens have also been subject to social media surveillance. In 2011, EPIC obtained documents in that revealed DHS gathered social media activity of individuals who expressed criticism of the agency and the US government. The program also targeted people who used such terms as "cloud," "exercise," and "Mexico." This revelation led to a Congressional hearing in 2012 that revealed bipartisan opposition to the DHS social media monitoring program.

4. FCC Releases Revised Broadband Privacy Plan

The Federal Communications Commission has released a fact sheet outlining a revised proposal for broadband privacy rules. The new draft is a scaled-back version of the FCC's original proposal, and includes numerous industry-requested revisions that would reduce privacy protections for consumers.

The FCC first proposed a set of regulations on "Protecting the Privacy of Customers of Broadband and Other Telecommunications Services" in March of this year. The FCC's proposed privacy rules - both the original and revised versions - would regulate only Internet Service Providers and are based on a limited "transparency, choice, and security" framework. Industry groups have argued that the FCC should further limit the rules by adopting the approach taken by the Federal Trade Commission based largely on "notice and choice." EPIC and other privacy advocates cautioned against further weakening the FCC's modest original plan.

The revised proposal for broadband privacy rules differs from the original plan on several key provisions. The new plan will require ISPs to obtain consumers' opt-in consent only for non-service-related uses of "sensitive" information, which includes web browsing history, app usage, and geolocation. However, information the FCC defines as "non-sensitive" would not be protected unless consumers opt out. The FCC's original proposal required ISPs to obtain opt-in consent before using any consumer data, regardless of sensitivity, for non-service-related purposes like advertising.

The FCC introduced an exception for de-identified customer data in the new rules, which would allow ISPs to use and disclose de-identified data without having to obtain consumers' consent or allowing them to opt-out. The fact sheet does not include oversight or independent verification mechanisms to ensure the adequacy of ISPs' de-identification techniques. ISPs will also be permitted to charge higher prices for basic privacy protections, subject to FCC review.

5. Supreme Court Won't Review Privacy Violations by Facebook, Google

In K.D. v. Facebook, consumers filed a class action over Facebook's use of young children's names and images for behavioral advertising without consent. That practice is currently prohibited in seven states. The plaintiffs asked the Supreme Court to step in after the Ninth Circuit upheld a controversial settlement of the case, which failed to resolve the key privacy concerns raised in the case. In an amicus brief to the Ninth Circuit, EPIC urged the appeals court to overturn the deal, explaining that the settlement is unfair to class members and authorizes continued privacy violations.

Grouley v. Google involved multiple legal challenges in the Third Circuit to Google's tracking of browsing habits that persisted after consumers attempted to block the practice and in spite of the company's own assurances about consumers' ability to opt-out. Consumers called on the Supreme Court to revive their allegations that Google's practices violated the Wiretap Act or Stored Communications Act, which the Third Circuit struck down.

EPIC consistently files amicus briefs in consumer privacy cases to promote enforcement of privacy laws and to defend consumers' ability to seek redress when a violation of law occurs.

News in Brief

WhatsApp Privacy Update: Spain Investigating Broken Privacy Promises

Spain is the latest country to investigateWhatsApp's transfer of user data, including verified user phone numbers, to Facebook. The Spanish Data Protection Agency joins privacy regulators in Germany, India, Italy, and the U.K. that have taken action against WhatsApp's changes to privacy practices that contradict previouspromises. EPIC filed a complaint with the Federal Trade Commission over the policy change in August, and more than a dozen consumer groups have backed these efforts. The Commission said it will "carefully review" EPIC's complaint. The FTC has previously stated, "When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up these promises."

Reuters: US Government Issued Secret Order to Yahoo to Scan All E-mails

Reuters reported today that Yahoo scanned the private email of Yahoo users pursuant to a secret directive issued by the FBI. The email scanning technique, based on a search for key terms, recalled a similar FBI program "Carnivore" that was found to capture far more information than authorized, according to documents obtained by EPIC under the Freedom of Information Act. The news report also renews concerns about the scope of US Internet surveillance. The European Court of Justice struck down an EU-US data transfer deal last year, following revelations that US Internet firms collaborated with the NSA to enable mass surveillance. A related case, Irish Data Protection Commissioner v. Facebook, is now pending. The Irish High Court has selected EPIC as "a friend of the court" to "counterbalance" the submission of the United States intelligence community.

In response to a Freedom of Information Act request filed by EPIC, the Federal Communications Commission has released communications about the FCC's broadband privacy rulemaking. One of the key proposals for the privacy rules concerns the scope of consumer data covered by the rule, such as a customer's IP address. An email exchange between Google's Vinton Cerf and FCC Chairman Tom Wheeler reveals Google's backdoor efforts to narrow the scope of the proposed rules to exclude privacy protections for customers' IP addresses. While EPIC has repeatedlyargued that the FCC's rules can and should go further, the current proposal would safeguard some consumer data, including IP addresses.

Recent EPIC publications:

The Privacy Law Sourcebook is the leading resource for students, attorneys, researchers, and journalists interested in privacy law in the United States and around the world. It includes major US privacy laws such as the Fair Credit Reporting Act, the Communications Act, the Privacy Act, the Family Educational Rights and Privacy Act, the Electronic Communications Privacy Act, the Video Privacy Protection Act, and the Foreign Intelligence Surveillance Act. The Sourcebook also includes key international privacy frameworks including the OECD Privacy Guidelines, the OECD Cryptography Guidelines, and European Union Directives for both Data Protection and Privacy and Electronic Communications. The Privacy Law Sourcebook 2016 (Kindle Edition) has been updated and expanded to include recent developments such as the United Nations Resolution on Right to Privacy, the European Union General Data Protection Regulation, the USA Freedom Act, and the US Cybersecurity Information Sharing Act. The Sourcebook also includes an extensive resources section with useful websites and contact information for privacy agencies, organizations, and publications.

This teachable casebook provides an introduction to the law and policy of modern communications. The book is organized by analytic concepts instead of current industry lines, which are constantly made out-of-date by technological convergence. The basic ideas--power, entry, pricing, access, classification, bad content, and intermediary liability--equip students with a durable and yet flexible intellectual structure that can help parse a complex and ever-changing field.

The Third Edition of "Privacy Law and Society" is the most comprehensive casebook on privacy law ever produced. It traces the development of modern privacy law, from the early tort cases to present day disputes over drone surveillance and facial recognition. The text examines the philosophical roots of privacy claims and the significant court cases and statues that have emerged. The text provides detailed commentary on leading cases and insight into emerging issues. The text includes new material on developments in the European Union, decisions grounded in fundamental rights jurisprudence, and exposes readers to current debates over cloud computing, online profiling, and the role of the Federal Trade Commission. Privacy Law and Society is the leading and most current text in the privacy field.

The threats to privacy are well known: The National Security Agency tracks our phone calls; Google records where we go online and how we set our thermostats; Facebook changes our privacy settings when it wishes; Target gets hacked and loses control of our credit card information; our medical records are available for sale to strangers; our children are fingerprinted and their every test score saved for posterity; and small robots patrol our schoolyards while drones may soon fill our skies.

The contributors to this anthology don't simply describe these problems or warn about the loss of privacy -- they propose solutions